What is Pharma Hack & How to Clean it?

Waking up to a hack is one of the worst experiences a website owner can have. Even worse is when you find your posts are ranking for keywords of illegal drugs. That’s what we call a pharma hack and it’s notorious for crippling a site’s SEO.

Pharma hack is one of the most common hack attacks made on WordPress websites. The aim of this post is to understand how are pharma hacks executed and how you can prevent it from happening to your site.

What is the Purpose of a Pharma Hack?

On the internet, many drugs like Viagra, Nexium, Cialis, are banned which means they are restricted from being promoted or sold. Therefore some pharmaceutical companies try out illegal methods of promoting their products. Pharma hack have devastating effects on the compromised website.

Pharma Hacks Are Hard to Identify

It’s hard to spot a pharma hack. These hacks are not visible on the website pages. Even a look through the HTML source code won’t show you the spam links or content. But it does show up when someone is looking for the website on a search engine like Google. Whenever we search for something on Google the search result offers post links with a little description about the post below the links. A site that is under pharma hack, shows something related to the pharmaceutical products in the description on search result pages.

Suppose you have a website on news surrounding Hollywood stars called hollywoodnews.com. Someone is searching for information on the divorce of Brad Pitt and Angelina Jolie. Your site has covered the news in a blog post and it’s ranked on Google. When someone searches using the keyword ‘Brad Pitt Angelina Jolie divorce,’ your post appears in the first position in the search engine result. But in the description below the link of your blog post, one can view terms like Viagra, Nexium, Cialis, etc. A careful internet user will not click through such a link and in this way you will lose good organic traffic. Thus pharma hack is not something you can see on your websites itself but within Google searches making it hard to identify.

How is Pharma Hack Carried Out?

Pharma hack is carried out by hackers through a technique called Black Hat SEO. Before moving on with pharma hack, we must first understand what Black Hat SEO is. It will give us a picture of how pharma hacks are pulled off on a WordPress site.

In Black Hat SEO, the hacker exploits a vulnerability on your website to break into your website and make a mess up your SEO. SEO stands for search engine optimization. It’s a process that enables your website visibility on search engines like Google, Bing, etc. Good SEO practices help rank posts from your blog on search engines. When a post appears on the first page of say Google, it draws a lot of organic traffic to the site. Whereas bad SEO practices ruin chances of ranking a post in the first page. This is why sometimes, pharma hacks are carried out by rival websites.

Suppose Site A ranks in the first position for the keyword ‘expensive watch’ and Site B (the rival site) ranks in the second position for the same keyword. A majority of the people looking for ‘expensive watch’ go to Site A because it ranks higher, it’s the first thing that appears in the search result of Google. Site B resorts to pharma hacking to bring down the SEO of Site A. Owing to bad SEO practices the ranking of Site A plummets which enables Site B to take its place.

When a hacker hacks a WordPress site, he wants to make sure that he is delayed from being discovered. He knows that once the site owner finds out about the hack, he’ll clean the site and the hacker will lose access to the website. Therefore, to stall discovery, hackers encode malicious codes, i.e. they make them look like any other WordPress files. One look at the file will never reveal that they are holding malicious codes inside. One popular place where hackers hide malware is the plugin directory of the File Manager. A File Manager is where all WordPress files are stored in a structured manner. When you install a plugin on your website, all information about the plugin is stored in a folder called plugin in the File Manager.

Most website owners have no business in the File Manager and therefore they never visit it. It’s a perfect place to hide malicious content. Therefore it’s wise to look closely into the File Manager once in a while.

How does one recognize malicious content in the File Manager? Suppose there is a plugin on your website called Yoast plugin. When you install the plugin on your WordPress site, let’s say only two default files of the plugins are stored in the File Manager. The name of the default files is “Yoast.php”, and “Yoast.gif.” A hacker trying to disguise its malicious file creates another file called “Yoast.cache.php”. When you look into the folder of Yoast plugin, all these files would seem legitimate to you. But any file outside the default files of a plugin should raise suspicion because it could be a file placed by hackers for their own benefit.

How to Clean WordPress Pharma Hack?

There are two ways of cleaning a pharma hack. One, you can do it manually or two, use a security service that’ll take care of the hack at the click of a button. We’ll discuss them both so that you can decide which one is more convenient for you.

Manual Cleaning:

To manually clean the hack you’ll have to take two steps:

Remove the File from the Plugin Directory

Remove the Entries from the Database

WARNING: While manually cleaning you’ll be making changes to your WordPress files and database. Unless you are an experienced developer, we’d recommend you tread cautiously. But if you have no experience with handling WordPress files and database, we’d urge you to use an auto malware cleaner (more on this later).

1. Remove the File from the Plugin Directory

To remove the file from the Plugin directory, you will need to access the directory. Log in to your web host and go to a page called cPanel. There you should find an option for File Manager. Select it and a page will open that’ll look something like this:

On the left side of the File Manager, there is a folder called public_html. When you select it, the folder will expand and you’ll see three more subfolders named wp-admin, wp-content, and wp-includes.

Select wp-content and a bunch of other subfolders will appear. Here you should see a folder called Plugin.

If you have 5 plugins installed into your WordPress site, files of all those plugins are available in this folder. The reason we recommend this particular folder to start with is because hackers often target this in the Plugin folder.

To identify malicious files, you’ll first have to learn what are default files for each of these installed plugins. Then match those files with the one present on your plugin folder. Make sure that your viewing options are set to Show Hidden Files. If not then go back to the cPanel, and click on File Manager. A popup will appear where you’ll have to select ‘Show Hidden Files.’

If you find the presence of a file that is not a default file, congratulations, you’ve found the malicious folder. Delete them!

And thus we complete the first leg of the journey. In the second leg, we need to delete database entries that contain malicious codes.

2. Remove the Entries from the Database

To access your database, you will have to visit your web host account. Log in to your web host and go to a page called cPanel. There you should be able to find an option for phpMyAdmin. Select that and a page will open that would look something like this:

In the database, select the wp_options table. It will allow you to browse through the table content.

In the wp_options table, you’ll need to search for the following database entries and delete them:

class_generic_supportwp_check_hashftp_credentialswidget_generic_supportfwprss_% (Delete all matches to rss_ expect, rss_excerpt_length, and rss_language)

For someone without any technical knowledge, auto cleaning is a safe option. Using a security service like MalCare, Sucuri, Wordfence, etc is ideal. In most security services like Sucuri, you’d have to raise a ticket to clean your hacked site. It’s a time-consuming process and the more you wait to clean your site, better are the chances of Google blacklisting your site which directly affects your site’s organic traffic.MalCare is the only malware cleaning service in the market that allows you to clean your site at the click of a button. Your choice of security service should be dependant on your needs and affordability.

With that, we have covered everything on pharma hacking which is one of the most common hack attacks made on WordPress websites. Any questions? We’d be happy to answer, justwrite to us.